Catbird vsecurity: Security and Compliance For The Virtualized Data Center



www.catbird.com
2011 Catbird. All rights reserved.

Catbird vsecurity: Securing the Virtual & Cloud Data Center

Executive Summary

As virtualization expands to sensitive and mission-critical systems, security professionals must ensure that the virtualized systems they oversee remain secure and compliant. As with any significant technological change, virtualization and cloud computing bring new security challenges, but also a unique opportunity to do security better.

Why Virtualization Security?

Virtualized security makes sense just as virtualization made sense. Virtualization improves security by making it more fluid and context-aware. Security policies are automated and can move along with VMs. This means security is more accurate, easier to manage and less expensive to deploy than traditional physical security. In fact, with the right technology and processes, virtualization has the power to make data centers even more secure and compliant than their physical counterparts. So if your data center is virtual, why would you not virtualize security?

Can Physical Security Protect Virtual Systems?

Physical security devices were not designed to deal with the significant architectural changes brought by virtualization. Traditional security depends on physical devices deployed on the perimeter of the data center, completely unaware of the significant security-related activity within the virtual infrastructure. For security professionals who fail to adapt, virtualization poses a significant risk. As independent third parties such as PCI and NIST have codified, without appropriate technology and training, virtualization and cloud systems will face significant security and compliance gaps. Such gaps include blind virtual networks, access control failures, loss of change controls, a new threat surface in the form of the hypervisor, breakdown in separation of duties and escalation of privilege. New technology is now available to address these potential gaps while also reducing cost and complexity.

Why Catbird?

Catbird is the industry leader in security and compliance for virtualized, cloud and physical environments, earning numerous awards, including four consecutive VMworld Best-of-Show Finalist awards and a Gartner Cool Vendor 2011 designation.

What is Catbird vsecurity?

vsecurity harnesses the power of virtualization to provide the industry's most comprehensive security and compliance solution for virtual and cloud systems. Catbird includes the industry's broadest set of controls, customized and automated for virtualized infrastructure, delivering the defense-in-depth essential to compliance with PCI, NIST, FISMA, DIACAP and other industry standards. Catbird vsecurity's broad coverage includes: Access Controls such as NAC and Firewall, Vulnerability Management, Incident Response (IDS/IPS), Configuration Management, Change Management, and Auditing. In addition, Catbird reduces complexity and lowers costs through the automation and consolidation benefits of Catbird TrustZones and vcompliance, ground-breaking innovations that are core vsecurity features:

TrustZones: Agile, Dynamic and Elastic Security

Catbird pioneered logical zoning in virtual infrastructure to deliver a level of automation and orchestration previously unseen in any type of data center. Freed from the static nature of physical attributes such as IP and MAC addresses, vsecurity provides a flexible policy envelope around logical groupings of virtual machines, independent of physical host or mobility events. This policy envelope, a TrustZone, is context-aware, leveraging virtual attributes and adapting to changes in real time. Catbird TrustZones float with the workloads, enterprise-wide, across both virtual and cloud infrastructure.

vcompliance: Continuous Workflow and Reporting

The industry's only virtualization security solution that offers automated mapping of security policies to industry standards, best practices and regulatory requirements with integrated workflow and reporting, vcompliance is a real-time system for virtual compliance reporting against PCI, FISMA and COBIT, among other important third-party standards. With predefined templates for easy configuration, ensuring virtual data center compliance with a standard of choice is as simple as a button-click. Security that is more accurate, faster and cheaper is the promise of virtualized security and the reality delivered by Catbird.

Detailed Overview

Why Virtualization Security

Many customers are under the mistaken belief that traditional security can be used to secure virtual infrastructure. Why is additional security needed if the physical data center was secure and the new virtualization platform is secure as well? The answer lies in the nature of the changes to the infrastructure, illustrated in Figure 1.

Figure 1: Changes in technology are at the source of the security gaps in virtual and cloud systems. Virtualization brings four significant changes: a new virtual network fabric, machines become files, virtual administrators and the hypervisor. Each of these changes brings unique security challenges.

Technology Changes Create Security Gaps

There are four main areas of change brought about by virtualization: new virtual networks, VM mobility events, virtual configuration changes and the hypervisor. Physical security devices were not designed to deal with these changes. They are blind to the new virtual networks. They do not protect the new threat surface (the hypervisor). As the enterprise transitions its data center from physical to virtual, it will need to transition security from a static world of servers, IPs and MACs to a new virtual world where security policy is decoupled from physical location and is associated instead with logical attributes. The effect and associated risks are outlined in Table 2 below. The Appendix at the end of this paper describes in more detail the impact of virtual architecture on traditional security.

Table 2: Security gaps moving from traditional data centers. Each change has a corresponding effect and risk. The security gaps cannot be covered with traditional physical security devices since they were not designed to deal with these changes.

Benefits of Virtualization Security

Virtualization and cloud computing bring a unique opportunity to do security differently. IT can take advantage of the power of the hypervisor's monitoring and enforcement capabilities to reduce the cost and complexity of security in the data center, and yet be even more secure. Virtualization security brings the following unique capabilities not available from physical security devices:

- Context-awareness: Security Virtual Machine Appliances (VMAs) operate inside the virtual infrastructure, securing from within, leveraging contextual information available through hypervisor APIs for enhanced monitoring and enforcement.
- Automated Provisioning: Security VMAs can be provisioned at the speed of light, automatically, with little human intervention.
- Policy-based Security: Security VMAs can inject security policy into the infrastructure when and where it's needed, based on pre-defined policies built upon best practices and compliance standards.
- Low cost: Security VMAs are inexpensive because the load is distributed, leveraging the power of virtual systems to share resources.
- Compliance Automation: The combination of the above, automated, policy-driven security, leads to instant, real-time compliance monitoring and enforcement.

Virtualized security makes sense just as virtualization made sense. Virtualization improves security by making it more fluid and context-aware. It lowers costs. It works because security policies are automated and can move along with VMs. It all adds up to being more accurate, easier to manage and less expensive than traditional physical security.

Catbird vsecurity

Catbird vsecurity is the industry's most comprehensive security and compliance solution for virtual and cloud systems. vsecurity not only addresses the security and compliance gaps previously outlined, but delivers on the promise of virtualization security: lower costs, automation and consolidation. vsecurity includes the industry's broadest set of security controls integrated in a single product, operating inside the virtual infrastructure, including Access Controls such as Network Access Control (NAC) and Firewall, Configuration Management, Change Management, Vulnerability Management, Incident Response (IDS/IPS) and Auditing. vsecurity utilizes hypervisor APIs and security controls to orchestrate and correlate security using four key features: TrustZones, HypervisorShield, VMShield and vcompliance, described below.

TrustZones

TrustZones automates security policy deployment and management, commonly known in the industry as security orchestration. TrustZones ensure that policy floats with the workloads, enterprise-wide, across both virtual and cloud infrastructure, providing the agility, dynamism and elasticity characteristic of virtualization. Freed from the static nature of physical attributes such as IP and MAC addresses, TrustZones are context-aware, leveraging virtual attributes and capable of adapting to change in real time. Figure 2 below illustrates the coexistence of two TrustZones with different security policies spanning two virtual hosts. Figures 3 and 4 provide screen shots of vsecurity showing multiple TrustZones connectivity and Zone membership respectively.

Figure 2: Example of two TrustZones, one with PCI policy, the other with GLBA, coexisting within a single cluster. The TrustZones are enforced via the Catbird Virtual Machine Appliances (VMAs). The Catbird VMA provides monitoring and enforcement via hypervisor APIs and virtual switch interfaces.

TrustZones Capabilities

- Logical zoning, enabling grouping of assets that share a common security policy, independent of physical host
- Inventory control via TrustZones membership
- Automatic membership based on common naming conventions, port groups or CIDRs
- Policy-based security orchestration applied to all members
- Zone Access Control Lists (ZACLs) for network isolation
- Intra-zone and inter-zone VM isolation
- Visualization of network activity across and within TrustZones with flow analysis
- Membership that can span port groups within a switch, VLANs, multiple switches, multiple hosts and even multiple clusters or network space (CIDR) across physical sites, hosted sites and private cloud systems
- Security policies maintained through vMotion events and changes to IP or MAC addresses
- Virtual machine controls through tracking, analysis and quarantine
- Alert and event views of all activity with granular filtering for detailed analysis
- CVE-compliant and PCI-compliant vulnerability monitoring
- CVE-compliant IDS/IPS with zero-day threat intelligence
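The capability list above describes the core idea of logical zoning: a VM's policy is derived from logical attributes (naming convention, port group, CIDR) and a zone-to-zone access list, so the policy survives a vMotion or a change of IP and MAC address where a traditional address-keyed ACL does not. The model below is an added illustration of that idea written for this page; it is not Catbird code, and the zone names, membership rule helpers, ZACL table format and the contrasting static ACL are all assumptions made for the example.

```python
"""Logical zoning model: policy attached to a VM's logical attributes, not its
IP/MAC/host, so it survives vMotion and re-addressing.

Added example for illustration; not Catbird code. Zone names, rule helpers and
the ZACL format below are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    port_group: str
    ip: str
    mac: str
    host: str


@dataclass
class Zone:
    name: str
    policy: str                           # compliance policy template, e.g. "PCI"
    rules: List[Callable[[VM], bool]]     # membership: naming convention, port group, CIDR
    isolate_members: bool = False         # intra-zone isolation: members may not talk to each other


# Membership rule constructors; each inspects only logical attributes.
def by_name_prefix(prefix: str) -> Callable[[VM], bool]:
    return lambda vm: vm.name.startswith(prefix)


def by_port_group(pg: str) -> Callable[[VM], bool]:
    return lambda vm: vm.port_group == pg


def by_cidr(cidr: str) -> Callable[[VM], bool]:
    net = ip_network(cidr)
    return lambda vm: ip_address(vm.ip) in net


ZONES = [
    Zone("Management", "FISMA", [by_port_group("pg-mgmt")]),
    Zone("DMZ", "PCI", [by_name_prefix("dmz-")], isolate_members=True),
    Zone("PCI-App", "PCI", [by_name_prefix("pci-app-")]),
    Zone("PCI-DB", "PCI", [by_cidr("10.1.3.0/24")]),
]
UNTRUSTED = "Untrusted"   # VMs matching no rule land here; no ZACL entry grants them anything


def zone_of(vm: VM, zones: List[Zone] = ZONES) -> str:
    """First zone whose membership rules match; unmatched VMs are Untrusted."""
    for z in zones:
        if any(rule(vm) for rule in z.rules):
            return z.name
    return UNTRUSTED


# Zone Access Control List: (src_zone, dst_zone) -> permitted destination ports.
# "*" matches any destination zone. Anything not listed is denied.
ZACL: Dict[Tuple[str, str], Set[int]] = {
    ("DMZ", "PCI-App"): {443},
    ("PCI-App", "PCI-DB"): {1433},
    ("Management", "*"): {22, 443},
}


def zacl_allows(src_zone: str, dst_zone: str, dst_port: int,
                zones: List[Zone] = ZONES, zacl=ZACL) -> bool:
    if src_zone == dst_zone:
        z = next((z for z in zones if z.name == src_zone), None)
        # intra-zone traffic is permitted unless the zone isolates its members
        return z is not None and not z.isolate_members
    ports = zacl.get((src_zone, dst_zone)) or zacl.get((src_zone, "*"))
    return ports is not None and dst_port in ports


def decide(src: VM, dst: VM, dst_port: int) -> str:
    return "allow" if zacl_allows(zone_of(src), zone_of(dst), dst_port) else "deny"


# The contrast case: a traditional ACL keyed on (src IP, dst IP, port).
STATIC_ACL = {("10.0.0.10", "10.1.2.10", 443)}


def static_acl_allows(src: VM, dst: VM, dst_port: int) -> bool:
    return (src.ip, dst.ip, dst_port) in STATIC_ACL


def demo():
    """Same web->app flow before and after the app VM moves host and is re-addressed."""
    web = VM("dmz-web-01", "pg-dmz", "10.0.0.10", "00:50:56:aa:00:01", "esx01")
    app = VM("pci-app-01", "pg-pci-app", "10.1.2.10", "00:50:56:aa:00:02", "esx01")
    before = (decide(web, app, 443), static_acl_allows(web, app, 443))
    # vMotion to another host, then new IP and MAC; name and port group are unchanged
    app_moved = replace(app, host="esx02", ip="10.1.2.55", mac="00:50:56:aa:00:99")
    after = (decide(web, app_moved, 443), static_acl_allows(web, app_moved, 443))
    return before, after


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(("allow", True), ("allow", False))`: the zone decision is unchanged by the move, while the static address-keyed rule silently stops matching. The `Untrusted` default and the `isolate_members` flag correspond to the inter-zone and intra-zone isolation items in the list.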

Figure 3: vsecurity logically organizes all assets into TrustZones, represented by clouds. The diagram above shows five TrustZones: Open, DMZ, Management, Workgroup and Untrusted. Cloud members are virtual machines, 42 of which are in the Untrusted Zone on the right and 5 in the Management Zone. Cloud membership is independent of physical location. Connectivity relationships between Zones are indicated by arrows representing network flows. The lower half of the screen shows the logical zoning as defined by the Catbird TrustZone Access Rules. These rules define the connectivity relationship between the TrustZones.

Figure 4 shows the members of the Management Zone. Connectivity between Assets and between TrustZones is depicted by the arrows. The Assets' MAC, IP and Port Group are provided at the bottom of the screen.

HypervisorShield

HypervisorShield is a pre-defined policy to automatically protect against inadvertent management error and malicious attacks. It does so by defining and implementing a security policy specifically for the hypervisor management network and other hypervisor management components. HypervisorShield performs the following functions:

- Uses network security tools to validate that the hypervisor network is configured according to best practices as defined by security policy
- Applies specific IDS/IPS rules to detect and enforce protocol- and port-level controls to block malicious network activity directed at the hypervisor from unauthorized virtual machines
- Logs activity pertaining to the hypervisor and provides audit trails independent of virtual host logs
- Utilizes Network Access Control (NAC) to monitor and quarantine unauthorized devices attempting to access the hypervisor management network

VMShield

VMShield allows for customization of policy to protect individual assets within TrustZones. While members inherit the TrustZones policy, the policy may be tailored for each individual member. VMShield allows the following controls to be modified:

- Uses network security tools to validate the asset configuration
- Applies specific IDS/IPS rules to detect and enforce protocol- and port-level controls to block malicious network activity directed at the specific asset from any source
- Logs activity pertaining to the specific asset and provides audit trails independent of virtual host logs

vcompliance

vcompliance is the only product in the industry specifically designed to monitor and enforce compliance for virtual and cloud environments. vcompliance is also the industry's only integrated workflow and reporting system for virtual compliance reporting against PCI, NIST, FISMA, DIACAP and other compliance standards. It automates the compliance process by mapping security policies to industry standards and best practices, and then presenting real-time reporting status of the monitored data center against the standard. vcompliance maps the underlying security controls to the regulatory framework, delivering dashboards at both TrustZones and VM levels, along with reporting to demonstrate continuous compliance (see Figure 5 below). vcompliance metrics can be utilized by third-party enterprise-wide Security Information Management systems and Governance, Risk and Compliance (GRC) systems.

Figure 5 shows Catbird's compliance dashboard. Above we see the real-time compliance posture of the Management TrustZone against the FISMA compliance framework. TOP: The graph at the center of the screen summarizes the compliance status for the TrustZone. Each radial axis corresponds to a control point on the FISMA framework. The blue boundary is the normative baseline for compliance. Red shows the impact after a system is virtualized without Catbird. Grey is the actual compliance posture at that moment, after virtual security. BOTTOM: The table at the bottom of the screen shows the compliance state of the individual assets across each of the seven security controls (Auditing, Inventory Management, Access Control, Configuration Management, Change Management, Vulnerability Management and Incident Response). Green boxes indicate that controls are in place; red indicates controls are not operational.
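The HypervisorShield functions described above amount to two checks a defender can express directly: flag any source that is not an authorized management asset yet talks to the management network (and queue it for NAC quarantine, with an audit trail kept independently of the host's own logs), and verify that the management port group does not share its VLAN with any VM port group. The code below is an added example written for this page, not Catbird code; the flow record fields, the sample flows and port-group inventory (constructed), the management CIDR and the "authorized means a member of the pg-mgmt port group" rule are all assumptions made for the example.

```python
"""HypervisorShield-style checks for a hypervisor management network.

Added example, not Catbird code. The flow record format, the port-group
inventory and the authorized-source rule are assumptions for this example.
Check 1: alert on, and queue for quarantine, any source that is not an
authorized management asset yet reaches the management network.
Check 2: the management port group must not share its VLAN with a VM port group.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

MGMT_NET = ip_network("10.9.0.0/24")     # hypervisor management network (constructed)
MGMT_PORTS = {22, 443, 902, 903}          # SSH, HTTPS and the ESXi host agent ports


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_vm: str            # VM name learned via the hypervisor API; "" for an unknown device
    src_port_group: str
    dst_ip: str
    dst_port: int


# Constructed sample flows, as a virtual appliance would see them on the virtual switch.
FLOWS = [
    Flow("2011-06-01T09:00:01Z", "10.9.0.20", "vcenter-01", "pg-mgmt", "10.9.0.5", 443),
    Flow("2011-06-01T09:00:07Z", "10.2.4.31", "wg-desktop-17", "pg-workgroup", "10.9.0.5", 22),
    Flow("2011-06-01T09:00:09Z", "10.2.4.31", "wg-desktop-17", "pg-workgroup", "10.9.0.6", 902),
    Flow("2011-06-01T09:00:12Z", "10.9.0.77", "", "", "10.9.0.5", 443),     # device not in inventory
    Flow("2011-06-01T09:01:00Z", "10.2.4.31", "wg-desktop-17", "pg-workgroup", "10.2.4.40", 445),
]


def is_authorized_source(flow: Flow) -> bool:
    # Authorization is logical membership (Management zone = pg-mgmt), not an IP match,
    # so a rogue device that takes an address in the management range is still unauthorized.
    return flow.src_port_group == "pg-mgmt" and bool(flow.src_vm)


def detect_mgmt_access(flows: List[Flow]) -> Tuple[List[str], Set[str]]:
    """Return (audit_entries, quarantine_set) for access to the management network."""
    audit: List[str] = []
    quarantine: Set[str] = set()
    for f in flows:
        if ip_address(f.dst_ip) not in MGMT_NET:
            continue                          # not management traffic; outside this policy
        if is_authorized_source(f):
            audit.append(f"{f.ts} ALLOW {f.src_vm} -> {f.dst_ip}:{f.dst_port}")
            continue
        who = f.src_vm or f"unknown-device[{f.src_ip}]"
        svc = "mgmt-port" if f.dst_port in MGMT_PORTS else "other"
        audit.append(f"{f.ts} ALERT unauthorized {who} ({f.src_ip}) -> {f.dst_ip}:{f.dst_port} [{svc}]")
        quarantine.add(who)
    return audit, quarantine


# Port-group inventory: name -> VLAN id (constructed; pg-backup is the misconfiguration)
PORT_GROUPS: Dict[str, int] = {"pg-mgmt": 100, "pg-dmz": 20, "pg-workgroup": 30, "pg-backup": 100}


def mgmt_vlan_shared_with(port_groups: Dict[str, int], mgmt_pg: str = "pg-mgmt") -> List[str]:
    """Non-management port groups that share the management VLAN; should be empty."""
    vlan = port_groups[mgmt_pg]
    return sorted(pg for pg, v in port_groups.items() if pg != mgmt_pg and v == vlan)


if __name__ == "__main__":
    entries, to_quarantine = detect_mgmt_access(FLOWS)
    print("\n".join(entries))
    print("quarantine:", sorted(to_quarantine))
    print("VLAN shared with management:", mgmt_vlan_shared_with(PORT_GROUPS))
```

Run against the constructed flows, the audit trail records one allowed management session and three alerts, two for the workgroup desktop and one for the unknown device at 10.9.0.77, and the quarantine set names both sources; the last flow is ordinary workgroup traffic and is ignored by this policy. The VLAN check reports `pg-backup` as sharing VLAN 100 with the management port group.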

vsecurity Technical Controls

vsecurity consolidates the most critical security controls into a single product operating inside the virtual infrastructure. TrustZones, HypervisorShield and vcompliance depend on these security controls. The controls encompass all seven functional areas common to defense-in-depth and all compliance frameworks. These seven areas are displayed in the pie chart in Figure 6 and are summarized below.

- Auditing: Virtual network visibility, monitoring and flow analysis based on hypervisor APIs and network security tools
- Inventory Management: Virtual machine tracking, analysis and quarantine based on hypervisor APIs and network discovery tools such as nmap, Xprobe2, NAC and IDS
- Access Controls based on Catbird native capabilities or VMware vShield App
- Configuration Management via policy-based monitoring and enforcement of network configuration and activity
- Change Management controls via network access control (NAC) with automatic virtual machine quarantine
- Vulnerability Management based on a CVE-compliant vulnerability management system
- Incident Response via Snort-based IDS/IPS with zero-day threat intelligence and Sourcefire VRT rules

Figure 6: Catbird vsecurity controls

vsecurity Architecture

Catbird vsecurity consists of two components: a virtual machine appliance, referred to as the Catbird VMA, and the management console, referred to as the Catbird Control Center. Figure 7 on the right shows the VMAs in purple with the Catbird dove icon and the Catbird Control Center virtual machine as the larger purple image.

Figure 7: Catbird deployment architecture

Catbird VMA. The Catbird VMA connects to the virtual switch and other VMware APIs. No changes to existing topology are required. The Catbird Control Center is the command-and-control center for all vsecurity operations and runs as a virtual machine. The VMAs communicate with the Control Center using a secure connection. Network loads due to communication with the Control Center are minimal. The VMA load on the virtual host is a function of the level of monitoring and the number of VMs, but is typically less than 25% of one core. Due to the dynamic nature of security threats, both the virtual appliances and the Control Center require continuous updates from Catbird via file transfer.

Catbird Control Center. The Catbird Control Center is a single virtual machine instance with no limit on the number of Catbird VMAs or sites it can manage. It is a web-based management console. The Control Center supports multi-tenant role-based access control, integration with Active Directory and other multi-factor authentication mechanisms. The Control Center manages the Catbird VMAs, providing management, data correlation, data analysis, logging and integration with other vendor products. Large organizations federate Control Center instances to provide global security management and reporting.

Conclusion

Virtualization technology delivers a highly dynamic and significantly more cost-effective data center, fundamentally changing the way servers are deployed and managed. It also offers an opportunity to change the way security is architected. Virtualization can improve security by making it more fluid and context-aware. Security policy orchestration is possible through automation based on TrustZones, enabling security to be elastic and move along with VMs. Security orchestration is more accurate, easier to manage and less expensive to deploy than traditional physical security. Security can harness the power of virtualization to make data centers even more secure and compliant than their physical counterparts. Ultimately the success of a virtualization strategy will depend on its ability to deliver automated and elastic security that is able to respond to the needs of the new data center.

Many IT professionals we speak to are under the mistaken belief that traditional security can be used to secure virtual infrastructure. The volatile mixture of virtual and cloud data centers combined with the static nature of physical security is a potent combination that should be managed with extreme care. Those who operate sensitive and mission-critical systems in virtual and cloud infrastructure and fail to adapt their security processes are taking an unnecessary risk. New technology is now available to address these potential gaps while also reducing cost and complexity. Many of the security and compliance gaps introduced by virtualization can be solved with better processes. Most will require a virtualized security technology like Catbird that brings visibility, management and control to virtual infrastructure. In all cases, operations and security teams need to work together on building in security from project inception and recognize that traditional approaches are inadequate for this new paradigm.

Appendix: Security Gaps in Virtual and Cloud Systems Virtual and Cloud systems are fundamentally different than their physical counterparts. Virtualization poses a significant challenge to existing perimeter- based security and physical network security. Physical security devices such as firewalls and other network- based security systems are not designed to manage the abstraction and rapid rates of change common to virtual and cloud systems. The changes virtualization brings to security can be grouped into four categories: (1) a New Virtual Network Fabric (2) Machines Become Files (3) Virtual Administrators and (4) the Hypervisor. The changes and impacts described in these four categories are corroborated in the guidelines published by independent 3 rd parties such as PCI and NIST. Numerous independent organizations are currently calling for appropriate technology and training for virtualization and cloud systems. Without adoption of new technology and processes, data centers face significant security and compliance gaps including access control failures, loss of change controls, breakdown in the separation of duties and escalation of privileges. This section will provide a brief description of the impact driving the security gaps in virtual and cloud systems. 1. New Virtual Network Fabric: Access Control Failures. In a virtualized environment dozens or even hundreds of guest operating systems or virtual machines - may be running simultaneously under one or more hypervisors (Cluster). Virtualization comes with its own virtual network fabric, which include virtual segments (port- groups), virtual routers and switches inside the Cluster. Due to high levels of consolidation, VMs likely interoperate with each other via this new virtual network infrastructure. These capabilities create the potential threats summarized below. New Blind Spots Created. 
Virtual networks run inside the physical host, handling traffic that is invisible to traditional physical security devices that rely on physical network inspection. A physical port in the data center that previously served a single physical server now represents hundreds of virtual servers. Blind spots Grow Exponentially. Physical network attributes such as IP and MAC addresses can no longer be relied upon to uniquely identify VMs since they can be easily modified or misconfigured. Physical Security Solutions Inadequate. Traditional physical firewalls, IDS/IPS and Network Access Control solutions depend upon static IP and MAC addresses as a cornerstone of their monitoring and mitigation. They are unprepared for mobility events nor changes in MAC and IP addresses. Catbird Mitigation: Catbird vsecurity removes these blind spots and delivers virtualization-aware access controls by operating within the virtual host using the virtual switch and hypervisor interfaces. Catbird monitoring blends new hypervisor-based capabilities with classic network-based security tools: vulnerability management, change control, network segmentation, network admission control, intrusion detection and prevention. 2. Machines become Files: Loss of Change Control. Virtual systems rely convert physical servers and desktops into files, known as virtual machines (VMs). These files can be easily modified and cloned to create new VM images with just a few keystrokes. The ability to provision entire systems quickly and easily is of huge benefit to business users. In addition, VMs are typically subject to Mobility Events. These events refer to the ability of VMs to automatically relocate themselves to another location. These capabilities create the following potential threats: Loss of Change Control. Most organizations have an established protocol for data center servers. Different protocols are applied to machines with different tasks or policies. 
In the physical world, it is relatively straightforward to ensure that new machines added to a data center adhere to the configuration policies assigned to that group and that they be introduced in a controlled and coordinated manner. In current virtualized data centers, this process can no longer be

enforced due to the power and flexibility of virtual systems and the virtual administrator. Virtual administrators can create and delete, clone, share, move and even roll back the execution state of a virtual machine. Errors in configuration are inevitable including multiple machines sharing the same domain identity. Virtual Machine Mobility. Mobility events are an essential feature of Virtual systems and underlie many of the sophisticated Disaster Recovery (DR) and High Availability (HA) capabilities that are highly prized in the new virtual data center. DR and HA rely heavily on automated load balancing that requires the movement of VMs across a group of virtual hosts (Cluster). These mobility events can confuse static policies and other security mechanisms designed for traditional physical servers and networks. Virtual Security products must handle mobility events intelligently by being aware of these events and leveraging platform and management APIs to allow administrators to enforce controls over the VMs irrespective of their physical locations. Catbird Mitigation. Catbird vsecurity delivers a combination of sophisticated virtual machine tracking, along with a management framework for auditing virtual machine state. Catbird TrustZones ensure that guest systems are protected, independent of location and through mobility events. The Catbird Control Center audits the state of the virtual machines over their lifetimes, supplying forensics for root cause analysis. Catbird provides independent enforcement of security and compliance, and can alert administrators about fat finger or configuration errors. Catbird allows administrators to establish a topology upfront that enforces network. 3. Virtual Administrators: Collapse of Roles, Loss of Checks and Balances. One of the key benefits of virtual environments is the enhanced role and power of the virtual administrator (VA), enabling a more dynamic and responsive data center. 
The virtual administrator combines most, if not all, of the privileges of a domain administrator, a root user, and network and security operations. This collapses operational roles, weakens Separation of Duties (SoD) and vastly increases the risk of privilege escalation and abuse of privilege: a single administrator holds all the keys to the kingdom. This collapse of roles is a significant change and a significant increase in risk.

Risk of Misconfiguration. Consider the people and paperwork needed to set up a new server in a physical, secure data center: procurement, the network team, the data center floor managers, operations, and perhaps a security manager. If any one of them makes an inadvertent error, another will likely catch it before it becomes an exploitable issue. By contrast, the virtualized data center lets one operator control the system, network and security infrastructure completely.

Insider Abuse of Privileges. This collapse of process protection may allow an administrator to compromise virtual guests and their data. A malicious administrator may decrypt network traffic [5], snapshot data or systems, or even peek covertly into a guest's physical memory, with little fear of detection. Combined with a lack of surveillance of the virtual environment, this not only allows but may embolden a rogue administrator to do irreparable damage.

Absence of Belt-and-Suspenders Controls. Most security failures result not from malicious hackers but from inadvertent human error. Standard practice on physical networks in regulated data centers mandates automated tools (often built into system software) that monitor for such errors, functioning as belt and suspenders. These secondary and backup controls, essential to compliance, are absent from virtualization platforms. Network controls to prevent unauthorized or anonymous access do not exist. Dual controls to prevent abuse of privilege do not exist.
Automation to ensure a secure life cycle and strict change control does not exist. An insecure or unauthorized hypervisor configuration negates whatever secondary controls remain. Together, these omissions compound each other, leaving weaknesses that are easily exploited.

Catbird Mitigation: Catbird addresses the challenges brought on by the new virtual administrator. Catbird delivers controls over the virtual administrator, compensating for the SoD, audit and least-privilege principles that virtualization weakens. Catbird implements common controls for network policy and virtual platform administration. Catbird supports access controls to enforce authority, and includes features to separate roles and to organize proper virtual network segmentation for policy containment and enforcement.
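The controls that sections 2 and 3 call for can be demonstrated together. The following is an added example written for this edit, not Catbird's code: an audit engine that binds zone policy to a VM's identity (its UUID) so the policy is re-evaluated when the guest migrates rather than silently lost, flags a clone that reuses another guest's domain identity, and rejects a privileged change that lacks an independent second approver. The event layout, field names, zone rules and host capabilities are assumptions constructed for the example; a real deployment would take them from the virtualization platform's management API.

```python
"""Added example (not Catbird's code): identity-keyed TrustZone audit over
a stream of virtual-platform events.

Shown: zone policy bound to the VM UUID (survives migration), detection of
a clone that reuses a domain identity, and dual control on privileged
changes. Event layout, zone rules and host capabilities are assumptions.
"""
from dataclasses import dataclass, field

# Per-zone controls (assumed): VLANs the zone may use, firewall profile required.
ZONE_RULES = {
    "pci-cde": {"allowed_vlans": {100}, "required_firewall": "cde-fw"},
    "dmz":     {"allowed_vlans": {200}, "required_firewall": "dmz-fw"},
}
# What each cluster host can enforce (assumed inventory); esx03 cannot enforce CDE.
HOST_CAPS = {
    "esx01": {"vlans": {100, 200}, "firewalls": {"cde-fw", "dmz-fw"}},
    "esx02": {"vlans": {100, 200}, "firewalls": {"cde-fw", "dmz-fw"}},
    "esx03": {"vlans": {200},      "firewalls": {"dmz-fw"}},
}
# Event types that require two people (assumed policy).
PRIVILEGED = {"VmReconfigured", "VmSnapshotReverted", "VmRemoved"}


@dataclass
class VMState:
    name: str
    host: str
    zone: str
    identity: str            # domain / machine-account identity
    policy_applied: bool = False


@dataclass
class Audit:
    vms: dict = field(default_factory=dict)      # uuid -> VMState
    findings: list = field(default_factory=list)

    def apply(self, ev):
        kind = ev["type"]
        if kind in ("VmCreated", "VmCloned"):
            self._admit(ev, cloned=(kind == "VmCloned"))
        elif kind == "VmMigrated":
            vm = self.vms[ev["uuid"]]
            vm.host = ev["host"]             # location changed; identity did not
            self._enforce(ev["uuid"], vm)
        elif kind in PRIVILEGED:
            self._dual_control(ev)
        return self

    def _admit(self, ev, cloned):
        dup = [u for u, o in self.vms.items() if o.identity == ev["identity"]]
        if cloned and dup:
            self.findings.append(
                f"DUPLICATE_IDENTITY {ev['uuid']} shares {ev['identity']} with {dup[0]}")
        vm = VMState(ev["name"], ev["host"], ev["zone"], ev["identity"])
        self.vms[ev["uuid"]] = vm
        self._enforce(ev["uuid"], vm)

    def _enforce(self, uuid, vm):
        # Policy is looked up by the VM's zone, then checked against the host it is on now.
        rules, caps = ZONE_RULES[vm.zone], HOST_CAPS[vm.host]
        ok = (rules["allowed_vlans"] <= caps["vlans"]
              and rules["required_firewall"] in caps["firewalls"])
        vm.policy_applied = ok
        if not ok:
            self.findings.append(
                f"POLICY_GAP {uuid} ({vm.zone}) on {vm.host}: zone controls "
                "cannot be enforced here; quarantine until moved")

    def _dual_control(self, ev):
        actor, approver = ev["actor"], ev.get("approver")
        if not approver or approver == actor:
            self.findings.append(
                f"DUAL_CONTROL_VIOLATION {ev['type']} on {ev['uuid']} by {actor} "
                "without an independent approver")


def run_audit(events):
    """Replay events in order and return the resulting Audit."""
    audit = Audit()
    for ev in events:
        audit.apply(ev)
    return audit


# Constructed sample event stream (not real platform output).
SAMPLE_EVENTS = [
    {"type": "VmCreated", "uuid": "vm-1", "name": "db01", "host": "esx01",
     "zone": "pci-cde", "identity": "CORP\\DB01$"},
    {"type": "VmCloned", "uuid": "vm-2", "name": "db01-clone", "host": "esx02",
     "zone": "pci-cde", "identity": "CORP\\DB01$"},          # clone kept the identity
    {"type": "VmMigrated", "uuid": "vm-1", "host": "esx03"},  # load balancer moved it
    {"type": "VmMigrated", "uuid": "vm-1", "host": "esx02"},  # moved back; policy re-applies
    {"type": "VmSnapshotReverted", "uuid": "vm-1", "actor": "alice"},
    {"type": "VmReconfigured", "uuid": "vm-1", "actor": "alice", "approver": "bob"},
    {"type": "VmReconfigured", "uuid": "vm-1", "actor": "alice", "approver": "alice"},
]

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_EVENTS).findings:
        print(finding)
```

The design point is that nothing in the policy refers to a host, port or address: the migration to esx03 is caught because the zone's requirements are re-checked against the destination at the moment of the event, and the second migration clears the gap without any administrator touching the rule. The dual-control check treats a missing approver and a self-approval identically, since both leave a single person holding all the keys.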

4. Hypervisor: Escalation of Privilege. The hypervisor presents a new target for attack. Since every virtual machine depends on the hypervisor to manage its virtual resources, the hypervisor is a single point of failure for the entire virtual infrastructure. In a heavily virtualized data center, hypervisor privileges are the most valuable target for exploitation. The threat vectors for unauthorized access to the hypervisor are outlined below.

Theft of Credentials. The weakest link is the VA's credentials, which give direct console access to the hypervisor's user interface (CLI). Direct console access requires physical access to the hypervisor host (or an equivalent out-of-band path to its console). This vector typically begins with human error and improper configuration of the virtualization environment by an authorized user, or with unauthorized access by a malicious user.

Network Access to the Hypervisor UI. This is accomplished over the virtual network (VM to hypervisor) or over a non-virtualized network to the host's management interface, typically from a compromised or misused virtual machine. Other than outright theft of VA credentials, malicious network access is the most critical risk factor: it carries both the highest probability of attack and the highest cost from a successful attack. For example, an infected virtual machine can launch a denial-of-service (DoS) attack against the hypervisor over the virtual network, and such an attack is invisible to a non-virtualized security device that sees only the physical links.

Hypervisor Vulnerabilities. Like any software, the hypervisor is not immune to defects or vulnerabilities; its attack surface spans MMU, driver, management, direct I/O and API based attack vectors.

Virtual Machine Breakout. A more obscure but technically feasible threat is subversion of the hypervisor through manipulation of shared memory or through the hooks required to run the VM.
Catbird Mitigation: Continuous validation of the hypervisor configuration and environment is required to assure the integrity of the hypervisor and the security of the virtual machines, and monitoring must include oversight of, and visibility into, virtual administrator activity. Catbird delivers this automated and continuous validation of the hypervisor environment, covering the integrity of the hypervisor management network and the security of the virtual machines, and its monitoring includes oversight of virtual administrator activities. Catbird also implements dual controls for privileged activities and for administrative override, giving effective oversight of operations personnel as well.
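As an added illustration of the continuous validation described above (example code written for this edit, not Catbird's implementation), the following checks a hypervisor host's configuration snapshot against a baseline, looking specifically for the network paths to the hypervisor UI that section 4 describes, and diffs each snapshot against the previous one so that an administrator's change is surfaced even when the new state still passes. The host record layout, the baseline values and the two snapshots are constructed assumptions; a real tool would pull the host state from the platform's management API.

```python
"""Added example (not Catbird's code): continuous validation of a
hypervisor host's configuration against a baseline, with drift detection.

Checks modelled on the text: a VM port group on the management interface's
VLAN (guest-to-hypervisor network path), remote shell services left
running, lockdown mode off, and a diff against the previous snapshot.
Host record layout, baseline values and snapshots are assumptions.
"""

# Baseline (assumed): no remote shells on the host, lockdown mode on.
SHELL_SERVICES = {"ssh", "esxi_shell"}


def validate_host(host):
    """Return a list of findings for one configuration snapshot."""
    findings = []
    if not host["lockdown_mode"]:
        findings.append("LOCKDOWN_OFF: console/API access not restricted to the management server")
    running = {svc for svc, enabled in host["services"].items() if enabled}
    for svc in sorted(SHELL_SERVICES & running):
        findings.append(f"SERVICE_RUNNING: {svc} exposes a hypervisor shell on the network")
    # VLANs carrying the host's own management (vmkernel) interfaces.
    mgmt_vlans = {pg["vlan"] for pg in host["portgroups"]
                  if pg["kind"] == "vmkernel" and pg.get("role") == "management"}
    for pg in host["portgroups"]:
        if pg["kind"] == "vm" and pg["vlan"] in mgmt_vlans:
            findings.append(
                f"MGMT_EXPOSED: VM port group {pg['name']} shares VLAN {pg['vlan']} "
                "with the management interface (guest-to-hypervisor network path)")
    return findings


def flatten(host):
    """Flatten a host record to dotted-path -> value so snapshots can be diffed."""
    flat = {"lockdown_mode": host["lockdown_mode"]}
    for svc, enabled in host["services"].items():
        flat[f"services.{svc}"] = enabled
    for pg in host["portgroups"]:
        flat[f"portgroups.{pg['name']}.kind"] = pg["kind"]
        flat[f"portgroups.{pg['name']}.vlan"] = pg["vlan"]
    return flat


def drift(prev, curr):
    """Return sorted (path, old, new) tuples for every setting that changed."""
    a, b = flatten(prev), flatten(curr)
    return sorted((k, a.get(k), b.get(k)) for k in a.keys() | b.keys()
                  if a.get(k) != b.get(k))


def continuous_check(snapshots):
    """Validate each snapshot and report drift from the one taken before it."""
    reports, prev = [], None
    for snap in snapshots:
        reports.append({
            "taken": snap["taken"],
            "findings": validate_host(snap),
            "drift": drift(prev, snap) if prev is not None else [],
        })
        prev = snap
    return reports


# Constructed snapshots of one host (not real platform output).
SNAPSHOT_T0 = {
    "taken": "t0", "lockdown_mode": True,
    "services": {"ssh": False, "esxi_shell": False},
    "portgroups": [
        {"name": "vmk0", "kind": "vmkernel", "role": "management", "vlan": 10},
        {"name": "Prod-Web", "kind": "vm", "vlan": 200},
        {"name": "CDE", "kind": "vm", "vlan": 100},
    ],
}
# Later an administrator enabled SSH, turned lockdown off and added a
# "temporary" VM port group on the management VLAN.
SNAPSHOT_T1 = {
    "taken": "t1", "lockdown_mode": False,
    "services": {"ssh": True, "esxi_shell": False},
    "portgroups": SNAPSHOT_T0["portgroups"] + [{"name": "Temp", "kind": "vm", "vlan": 10}],
}

if __name__ == "__main__":
    for report in continuous_check([SNAPSHOT_T0, SNAPSHOT_T1]):
        print(report["taken"], report["findings"], report["drift"])
```

The drift report, not just the pass/fail result, is what belongs in the audit trail: a port group added and removed between two scheduled checks, or a shell enabled and then disabled, is exactly the trace a careless or rogue administrator leaves, and a check that only evaluates the current state against the baseline never sees it.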